Alert issued to update Citrix ADC, Gateway devices


Citrix has issued a critical alert calling for immediate action to install updates to certain models of its Application Delivery Controller (ADC) and Gateway products after the discovery of a zero-day vulnerability allowing threat actors to bypass authentication controls.

“Citrix strongly urges affected customers of Citrix ADC and Citrix Gateway to install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible,” the alert says. “Exploits of this issue on unmitigated appliances in the wild have been reported.”

Separately, the U.S. National Security Agency (NSA) issued an advisory with detection and mitigation guidance for tools leveraged by a malicious actor that focuses on exploiting these two products.

The vulnerability, CVE-2022-27518, is described as allowing unauthenticated remote arbitrary code execution. It affects the following customer-managed products:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

IT environments with Citrix-managed cloud services or Citrix-managed Adaptive Authentication don’t have to take action. Citrix ADC and Citrix Gateway version 13.1 is unaffected.

To be vulnerable, devices must be configured to use Security Assertion Markup Language (SAML) for single sign-on login, either as a SAML SP (service provider) or a SAML IdP (identity provider). Admins should inspect the ns.config file on the affected models to see if the line “add authentication samlAction” or “add authentication samlIdPProfile” is present. If so, the device must be updated.
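The two checks above (is the build older than the fixed build, and is SAML configured in ns.config) can be scripted for a fleet of appliances. The following Python triage script is an added example, not code from the article or from Citrix: it parses a build string in the form the alert uses (e.g. 13.0-58.32), compares it against the fixed builds listed above, and scans ns.config text for the two SAML lines. The sample ns.config content and hostnames are constructed.

```python
import re

# Fixed builds from the Citrix alert, keyed by (release, branch).
# Branch "" is the standard build; FIPS and NDcPP are separate 12.1 branches.
FIXED_BUILDS = {
    ("13.0", ""): (58, 32),
    ("12.1", ""): (65, 25),
    ("12.1", "FIPS"): (55, 291),
    ("12.1", "NDcPP"): (55, 291),
}

# Lines whose presence in ns.config puts the appliance in scope for the bug.
SAML_MARKERS = ("add authentication samlAction", "add authentication samlIdPProfile")

# Constructed ns.config excerpt for demonstration only.
SAMPLE_NS_CONFIG = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlAction saml_idp_action -samlIdPCertName idp_cert
add authentication vserver auth_vs SSL 192.0.2.11 443
bind authentication vserver auth_vs -policy saml_pol -priority 100
"""


def is_affected(version: str, branch: str = "") -> bool:
    """True if 'release-major.minor' (e.g. '13.0-58.30') is older than the fixed build.

    Releases not listed in the alert (including 13.1) are treated as not affected.
    """
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((release, branch))
    return fixed is not None and build < fixed


def saml_lines(ns_config_text: str) -> list:
    """Return the SAML SP/IdP configuration lines found in ns.config text."""
    return [ln.strip() for ln in ns_config_text.splitlines()
            if ln.strip().startswith(SAML_MARKERS)]


def assess(version: str, branch: str, ns_config_text: str) -> dict:
    """Combine the build check and the SAML check into one verdict per appliance."""
    affected_build = is_affected(version, branch)
    saml = saml_lines(ns_config_text)
    return {"affected_build": affected_build,
            "saml_configured": bool(saml),
            "exposed": affected_build and bool(saml),  # both conditions required
            "saml_lines": saml}


if __name__ == "__main__":
    print(assess("13.0-58.30", "", SAMPLE_NS_CONFIG))
```

An appliance on a fixed build, or one with no SAML lines, is reported as not exposed; the NSA guidance on binary integrity and off-device logging still applies to either.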

In its advisory the NSA said a threat actor known to security researchers as APT5, UNC2630 or Manganese is going after Citrix ADC and Gateway products.

For defence, it recommends Citrix administrators check key executables, or binaries, such as nsppe, nsaaad, nsconf, nsreadfile, and nsconmsg against known good copies for file integrity.

“A malicious actor enabling continued access [to an IT environment] will likely require modification to legitimate binaries,” the advisory explains.

NSA also recommends that organizations take scheduled tech support bundles and/or snapshots of their running environment and store them in an offline or otherwise immutable location to create a forensic history of systems. These backups can be used to compare running instances or to reconstruct events if suspicious activity is identified, it says.

The advisory also recommends that administrators use off-device logging mechanisms for all system logs and look there for suspicious behaviour. For example, this particular threat actor is known to use tools that run “pb_policy,” which will show up in logs without being linked to expected administrator activity.

The advisory includes Yara signatures that can be used to detect malware seen being used by this threat actor in this campaign.

If any suspicious activity is detected, all Citrix ADC instances should be moved behind a VPN or other capability that requires valid user authentication (ideally multi-factor) prior to being able to access the ADC, the NSA says. Isolate the Citrix ADC appliances from the environment to ensure any malicious activity is contained. Then restore the Citrix ADC to a known good state.

The post Alert issued to update Citrix ADC, Gateway devices first appeared on IT World Canada.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
